[PATCH] Fix a crash with XDMCP error handler
walter harms
wharms at bfs.de
Sun Jan 25 10:33:03 PST 2015
Am 21.01.2015 10:56, schrieb Olivier Fourdan:
> The XdmpcpFatal() error handler uses a string format that the
> vpnprintf() routine does not understand, as a result any XDMCP
> fatal error leads to a server crash:
>
> (EE) (EE) BUG: triggered 'if (f[f_idx])'
> (EE) BUG: log.c:474 in vpnprintf()
> (EE) Unsupported printf directive '*'
>
> Rework the XdmpcpFatal() code to use a simpler string format
> instead.
>
> Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
> ---
> os/xdmcp.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/os/xdmcp.c b/os/xdmcp.c
> index b6e97c9..374ac08 100644
> --- a/os/xdmcp.c
> +++ b/os/xdmcp.c
> @@ -1409,8 +1409,11 @@ recv_alive_msg(unsigned length)
> static void
> XdmcpFatal(const char *type, ARRAY8Ptr status)
> {
> - FatalError("XDMCP fatal error: %s %*.*s\n", type,
> - status->length, status->length, status->data);
> + char error_message[256]; /* status length is CARD8 */
> +
> + memcpy(error_message, status->data, status->length);
> + error_message[status->length] = '\0';
> + FatalError("XDMCP fatal error: %s. %s\n", type, error_message);
> }
>
> static void
just a minor question ...
Since you use a fixed size buffer ... no chance that status->length ever > 255 ??
re,
wh
More information about the xorg-devel
mailing list